This document illustrates two Cisco Secure PIX Firewall devices that
run a simple VPN tunnel from PIX 1 to PIX 2 over a public network using IPSec.
A Cisco VPN Client 4.x connects to PIX 1. The configuration uses pre-shared
keys (wildcards for the clients' IP addresses) and mode configuration for the
clients.

Note: The VPN Client can access the LAN behind PIX 1, but not the LAN
behind PIX 2. The PIX does not redirect traffic.

The information in this document is based on these software and
hardware versions:

PIX Firewall Version 6.3(1)

Note: The show version command must show that
encryption is enabled.

VPN Client Version 4.0.2(A)

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

If static and dynamic peers are configured on the same crypto map, the
order of the crypto map entries is very important. The sequence number of the
dynamic crypto map entry must be higher than all of the other static crypto map
entries. If the static entries are numbered higher than the dynamic entry,
connections with those peers fail.
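The ordering rule above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original document: a Python audit that parses crypto map entry definitions and reports any static entry numbered higher than a dynamic entry in the same map. The map names, dynamic map name, peer address, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (names and addresses are made up for this example).
SAMPLE_CONFIG = """\
crypto dynamic-map dynclients 10 set transform-set myset
crypto map goodmap 10 ipsec-isakmp
crypto map goodmap 10 match address 101
crypto map goodmap 10 set peer 192.0.2.2
crypto map goodmap 10 set transform-set myset
crypto map goodmap 65535 ipsec-isakmp dynamic dynclients
crypto map badmap 20 ipsec-isakmp dynamic dynclients
crypto map badmap 30 ipsec-isakmp
crypto map badmap 30 set peer 192.0.2.2
"""

# Matches only the line that defines an entry, not its match/set sub-commands.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-(?:isakmp|manual)(?: dynamic (\S+))?$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: dynamic_map_name or None}} from entry definitions."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            maps[m.group(1)][int(m.group(2))] = m.group(3)
    return dict(maps)

def misordered_entries(config):
    """List (map, static_seq, dynamic_seq) for static entries numbered above a dynamic entry."""
    findings = []
    for name, entries in sorted(parse_crypto_maps(config).items()):
        dynamic = [seq for seq, dyn in entries.items() if dyn is not None]
        if not dynamic:
            continue  # only static peers on this map, nothing to compare
        lowest_dynamic = min(dynamic)
        for seq in sorted(s for s, dyn in entries.items() if dyn is None):
            if seq > lowest_dynamic:
                findings.append((name, seq, lowest_dynamic))
    return findings

if __name__ == "__main__":
    for name, static_seq, dyn_seq in misordered_entries(SAMPLE_CONFIG):
        print(f"{name}: static entry {static_seq} is numbered above dynamic entry {dyn_seq}")
```
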

This is an example of a properly numbered crypto map that contains a
static entry and a dynamic entry. Note that the dynamic entry has the highest
sequence number and room has been left to add additional static entries: